
Google’s Pwnium 4 Hacking Contest Will Pay Out Over $2.7 Million In Rewards Money

January 23, 2014 - Written By Patrick Northcraft

Chrome OS is still a growing platform. I for one just bought and received my Acer C720 Chromebook not even two days ago, and I’m already in love with it. A major concern for some people who are considering making the switch to Chrome OS is the security of the new system, and Google understands this. That is why they are continuing their tradition of security testing on a large scale. This year, Google will be hosting the fourth competition dedicated to finding security flaws in Chromium, aptly named ‘Pwnium 4’. They will be giving away a total of $2.71828 million in prize money, a figure that matches the digits of the mathematical constant ‘e’, for all you fellow math geeks at heart. The general winnings will be awarded in the following amounts: $110,000 for finding a browser or system-level compromise in guest mode or as a logged-in user, delivered via a web page; $150,000 for finding a compromise with device persistence, specifically guest-to-guest with an interim reboot, delivered via a web page.

If someone actually manages to hack Chrome OS, Google will cut them a nice six-figure check. They will also give out major bonuses if anyone can do what they call “a particularly impressive or surprising exploit”, such as defeating kASLR, exploiting memory corruption in the 64-bit process, or exploiting the kernel directly from the renderer process. For those curious, kASLR stands for kernel address-space layout randomization, which essentially means that the kernel is not loaded at a fixed address; instead, its location is randomized at boot time.

This year, participants can choose to use either the ARM-based Chromebook (the HP Chromebook 11 Wi-Fi) or the Acer C720 Chromebook Wi-Fi with 2GB of RAM. Any attacks must be shown against one of those devices running whatever version of Chrome OS is deemed stable at the time. All software that is included with the stock versions of these Chromebooks may be used as part of the attack.

For those of you tech-savvy enough to do this, shoot an e-mail to security@chromium.org. You must pre-register for a spot to demonstrate your exploit. Registration closes at 5:00 p.m. PST on Monday, March 10, 2014. Please be sure to check out the official rules, located at the source material, before registering. Do any of you feel confident enough to do this? Does it make you feel a little more comfortable that Google is going through so much effort to ensure the security of their Chromebooks? Let us know your thoughts in the comments!